美好的一天开发商。 我有问题。在我的web应用程序中,我使用弹簧安全。我有2个简单的角色:用户,管理员。对于这些规则中的每一个,我都有自己的密码,因为所有人对我的网络应用都有不同的访问权限。因此,我现在将所有密码存储在SHA-256哈希编码的security.xml中:将密码存储在xml security-context.xml或数据库中的最佳实践?
<security:http pattern="/search" security="none" />
<security:http auto-config="true" >
<security:session-management session-fixation-protection="migrateSession"/>
<security:intercept-url pattern="/input" access="ROLE_ADMIN, ROLE_USER"/>
<security:intercept-url pattern="/delete" access="ROLE_ADMIN"/>
<security:form-login login-page="/login"
authentication-failure-url="/loginfail"
default-target-url="/input"
always-use-default-target="true"
username-parameter="j_username"
password-parameter="j_password" />
<security:logout logout-success-url="/logout"/>
<security:session-management>
<security:concurrency-control max-sessions="1" error-if-maximum-exceeded="true" />
</security:session-management>
</security:http>
<security:authentication-manager>
<security:authentication-provider>
<security:password-encoder hash="sha-256"/>
<security:user-service>
<security:user name="user" password="04f8996da763b7a969b1028ee3007569eaf3a635486ddab211d512c85b9df8fb" authorities="ROLE_USER"/>
<security:user name="admin" password="8c6976e5b5410415bde908bd4dee15dfb167a9c873fc4bb8a81f6f2ab448a918" authorities="ROLE_ADMIN"/>
</security:user-service>
</security:authentication-provider>
</security:authentication-manager>
这真的是个好主意吗?也许需要将它们存储在DB(例如H2)中以获得更多保护。
<bean id="dataSource" class="com.mchange.v2.c3p0.ComboPooledDataSource"> <!-- Using and configuring C3P0 proxy -->
<property name="driverClass"><value>org.h2.Driver</value></property>
<property name="jdbcUrl"><value>jdbc:h2:/home/vadim/workspace-sts-3.1.0.RELEASE/h2/EDUCATION</value></property>
<property name="user"><value>sa</value></property>
<property name="password" ><value></value></property>
<property name="initialPoolSize"><value>3</value></property> <!-- Number of Connections a pool will try to acquire upon startup -->
<property name="minPoolSize"><value>1</value></property> <!-- Minimum connection pool size -->
<property name="maxPoolSize"><value>20</value></property> <!-- Max connection pool size -->
<property name="maxConnectionAge"><value>3600</value></property> <!-- Set max connection age to 1 hour, after it will release -->
<property name="maxIdleTime"><value>600</value></property> <!-- 10 minutes connection can stay unused before be discarded -->
<property name="checkoutTimeout"><value>200000</value></property> <!-- Each what time check for unused connections -->
</bean>
现在我的密码是空白的,但我应该有一个。如何保护它?
谢谢。
您的最佳保护是保护您的数据存储。无论是数据库,平面文件还是其他任何内容都无关紧要。如果暴露出来,密码开始找到真的只是一个时间问题。 –
好吧我使用数据库在我的app-config.xml中配置数据源,我真的不知道如何隐藏它。对应您的回复,我如何保护它。为了更多的理解,我添加将添加我的app-config.xml。谢谢科林。 –